
Originally Posted by
AcarX
I appreciate all the help guys. I'd like to clarify my aim once again though. If possible I'd like to analyze packet structures through the client instead of being dependent on an online server. While I was messing around in IDA I found a bunch of strings such as "Agpm::Character OnReceive(1) ..", "Agpm::Item OnReceive(1)". I believe Agpm stands for "Archlord game packet manager". Although I wasn't able to make much sense of what was happening due to my lack of assembly knowledge.
If that is the goal, you are in for a long hard trip, as most games do not leave enough information to "easily" pull structure data from ASM.
Most of the time it simply compiles the data for each opcode function and copies it to a reserved set of memory that was created based on the final packet size. That memory location is then usually pushed to whatever function handles the encryption, if any is present.
So really what you are looking at doing is a ton of reverse engineering to go step by step as a particular packet is received and handled, to see what kind of data it pulls off and to attempt to see what it does with that data. This is usually why people take large dumps of packets and analyze them, so they can see the exact data in use and modify it as they need to see the desired effect.
I'll use another game as an example.
Here is the packet data for character deletion, decrypted of course.
Code:
12 00 18 05 02 00 00 00 06 33 34 35 33 34 35 00 ........ .345345.
2E 1A ..
I know from working with the game for a few days that the opcode for the function is 0x0518.
Here is the function in game that creates that packet.
Code:
CPU Disasm
Address Hex dump Command Comments
00818E10 /$ 55 PUSH EBP ; GDMO.00818E10(guessed Arg1,Arg2)
00818E11 |. 8BEC MOV EBP,ESP
00818E13 |. 51 PUSH ECX
00818E14 |. 894D FC MOV DWORD PTR SS:[LOCAL.1],ECX
00818E17 |. 68 18050000 PUSH 518 ; /Arg1 = 518
00818E1C |. 8B4D FC MOV ECX,DWORD PTR SS:[LOCAL.1] ; |
00818E1F |. E8 DC86C0FF CALL 00421500 ; \GDMO.00421500
00818E24 |. 8B45 08 MOV EAX,DWORD PTR SS:[ARG.1]
00818E27 |. 50 PUSH EAX ; /Arg1 => [ARG.1]
00818E28 |. 8B4D FC MOV ECX,DWORD PTR SS:[LOCAL.1] ; |
00818E2B |. E8 507DC0FF CALL 00420B80 ; \GDMO.00420B80
00818E30 |. 8B4D 0C MOV ECX,DWORD PTR SS:[ARG.2]
00818E33 |. 51 PUSH ECX ; /Arg1 => [ARG.2]
00818E34 |. 8B4D FC MOV ECX,DWORD PTR SS:[LOCAL.1] ; |
00818E37 |. E8 1488C0FF CALL 00421650 ; \GDMO.00421650
00818E3C |. 68 18050000 PUSH 518 ; /Arg1 = 518
00818E41 |. 8B4D FC MOV ECX,DWORD PTR SS:[LOCAL.1] ; |
00818E44 |. E8 9786C0FF CALL 004214E0 ; \GDMO.004214E0
00818E49 |. 8B4D FC MOV ECX,DWORD PTR SS:[LOCAL.1]
00818E4C |. E8 0F81C0FF CALL 00420F60 ; [GDMO.00420F60
00818E51 |. 8BE5 MOV ESP,EBP
00818E53 |. 5D POP EBP
00818E54 \. C2 0800 RETN 8
Can you tell what the structure of the above packet is by looking at the dump?
How about with this?
Code:
int __thiscall sub_818E10(void *this, char Src, wchar_t *Str)
{
void *v3; // ST04_4@1
v3 = this;
sub_421500((int)this, 1304);
sub_420B80(Src);
sub_421650(Str);
sub_4214E0(v3, 1304);
return sub_420F60(v3);
}
I know the structure of the above packet and code, it basically breaks down to this.
Code:
#pragma pack(push, 1)
struct MSG_REQUEST_CHAR_DELETE
{
    WORD pSize;     //Packet Size
    WORD pFunction; //Packet Function (opcode, 0x0518 here)
    DWORD cNumber;  //Character slot to delete
    BYTE nSize;     //Size of character name
    CHAR * cEmail;  //Email address to verify delete (nSize bytes stored inline in the packet, not an actual pointer)
    BYTE bPad;      //0x00 for padding
    WORD sWord;     //Security bytes for packet.
};
#pragma pack(pop)
So I guess my final point is this: unless you are very intimate with the game in question, it is going to be difficult to do what you want, and my advice is to learn from the packets first and then perhaps eventually you will be able to spot them in ASM. I usually dump the packets first, then if I find one that interests me that I cannot figure out without looking at the ASM, I search for the opcode for the function and just debug it as it processes that particular packet.
Sorry if this is not what you wanted, I am just trying to save you some time.
//Edit
This is an overly simplified example; the code above is not the complete code used to handle the deletion, it is simply the building of the packet. Prior steps include parsing the email entry and verifying the size etc. of it.
- - - Updated - - -
Also if you want, I can see about creating a system that will dump the packets for you in their decrypted form, assuming the game is still live.
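As an added illustration (not code from the post or the game), here is a small parser that checks a decrypted capture against the MSG_REQUEST_CHAR_DELETE layout described above, using the 18-byte dump from the post as a constructed sample. Field names follow the struct; the only assumption is that nSize counts the inline name bytes and that the trailing pad and sWord follow immediately after them, which is what the dump shows.

```python
import struct

# Constructed sample: the decrypted character-deletion packet shown in the post.
SAMPLE = bytes.fromhex("12 00 18 05 02 00 00 00 06 33 34 35 33 34 35 00 2E 1A")
OPCODE_CHAR_DELETE = 0x0518
FIXED_HEADER_LEN = 9  # pSize(2) + pFunction(2) + cNumber(4) + nSize(1)
TRAILER_LEN = 3       # bPad(1) + sWord(2)


def parse_char_delete(pkt: bytes) -> dict:
    """Decode one decrypted packet into its fields, refusing malformed input.

    Every read is bounds-checked against the declared pSize so a truncated or
    tampered capture raises ValueError instead of reading past the buffer.
    """
    if len(pkt) < FIXED_HEADER_LEN + TRAILER_LEN:
        raise ValueError("packet shorter than the fixed header plus trailer")
    p_size, p_function, c_number, n_size = struct.unpack_from("<HHIB", pkt, 0)
    if p_size != len(pkt):
        raise ValueError(f"pSize {p_size} does not match captured length {len(pkt)}")
    if p_function != OPCODE_CHAR_DELETE:
        raise ValueError(f"unexpected opcode 0x{p_function:04X}")
    # cEmail is nSize bytes stored inline (the struct's pointer is only notation).
    name_end = FIXED_HEADER_LEN + n_size
    if name_end + TRAILER_LEN != p_size:
        raise ValueError(f"nSize {n_size} does not fit declared size {p_size}")
    c_email = pkt[FIXED_HEADER_LEN:name_end].decode("ascii")
    b_pad = pkt[name_end]
    if b_pad != 0x00:
        raise ValueError(f"pad byte is 0x{b_pad:02X}, expected 0x00")
    (s_word,) = struct.unpack_from("<H", pkt, name_end + 1)
    return {
        "pSize": p_size,
        "pFunction": p_function,
        "cNumber": c_number,
        "nSize": n_size,
        "cEmail": c_email,
        "bPad": b_pad,
        "sWord": s_word,
    }


if __name__ == "__main__":
    for field, value in parse_char_delete(SAMPLE).items():
        print(f"{field:10} = {value!r}")
```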